Commit Graph

33 Commits

Author SHA1 Message Date
luoyaoming adae2bc249
!6 rv64g架构 closefrom函数报错修复
Merge pull request !6 from 范小气/openkylin/yangtze
2024-03-01 01:49:18 +00:00
fanxiaoqi 43daaacc39 repair ok2 error 2024-02-29 10:57:59 +00:00
luoyaoming 8aee1c1351
!5 rv64g架构 编译报错 libc6-dev 升级2.36后报错 closefrom函数类型
Merge pull request !5 from 范小气/openkylin/yangtze
2024-02-23 01:27:18 +00:00
fanxiaoqi 2bcf672130 remove changelog.dch 2024-02-22 18:17:57 +08:00
fanxiaoqi 37128a4ad6 remove int closefrom to support libc6-dev 2.36 2024-02-22 18:17:21 +08:00
Lu zhiping 2d0df78df5 changed debian/source/format to native 2022-06-16 16:57:14 +08:00
Colin Watson f70d7ae8c1 Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for"
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.

The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.

Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08

Patch-Name: revert-ipqos-defaults.patch

Gbp-Pq: Name revert-ipqos-defaults.patch
2022-06-16 16:57:13 +08:00
Colin Watson ca8b93efcb Work around conch interoperability failure
Twisted Conch fails to read private keys in the new format
(https://twistedmatrix.com/trac/ticket/9515).  Work around this until it
can be fixed in Twisted.

Forwarded: not-needed
Last-Update: 2019-10-09

Patch-Name: conch-old-privkey-format.patch

Gbp-Pq: Name conch-old-privkey-format.patch
2022-06-16 16:57:13 +08:00
Colin Watson c33394086c Restore reading authorized_keys2 by default
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever.  However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.

Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05

Patch-Name: restore-authorized_keys2.patch

Gbp-Pq: Name restore-authorized_keys2.patch
2022-06-16 16:57:13 +08:00
Colin Watson f8f63fbd2c Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).

ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).

ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.

ssh: Enable GSSAPIAuthentication by default.

ssh: Include /etc/ssh/ssh_config.d/*.conf.

sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.

sshd: Enable X11Forwarding.

sshd: Set 'AcceptEnv LANG LC_*' by default.

sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.

sshd: Include /etc/ssh/sshd_config.d/*.conf.

Document all of this.

Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2020-02-21

Patch-Name: debian-config.patch

Gbp-Pq: Name debian-config.patch
2022-06-16 16:57:13 +08:00
Michael Biebl beb50438f4 Add systemd readiness notification support
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2017-08-22

Patch-Name: systemd-readiness.patch

Gbp-Pq: Name systemd-readiness.patch
2022-06-16 16:57:13 +08:00
Vincent Untz 32113ac61d Give the ssh-askpass-gnome window a default icon
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28

Patch-Name: gnome-ssh-askpass2-icon.patch

Gbp-Pq: Name gnome-ssh-askpass2-icon.patch
2022-06-16 16:57:13 +08:00
Kurt Roeckx 79c6601799 Don't check the status field of the OpenSSL version
There is no reason to check the version of OpenSSL (in Debian).  If it's
not compatible the soname will change.  OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same.  Remove that check on the status since
it doesn't tell you anything about how compatible that version is.

Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07

Patch-Name: no-openssl-version-status.patch

Gbp-Pq: Name no-openssl-version-status.patch
2022-06-16 16:57:13 +08:00
Colin Watson d595449837 Document consequences of ssh-agent being setgid in ssh-agent(1)
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21

Patch-Name: ssh-agent-setgid.patch

Gbp-Pq: Name ssh-agent-setgid.patch
2022-06-16 16:57:13 +08:00
Colin Watson de4759ea28 Document that HashKnownHosts may break tab-completion
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2013-09-14

Patch-Name: doc-hash-tab-completion.patch

Gbp-Pq: Name doc-hash-tab-completion.patch
2022-06-16 16:57:13 +08:00
Colin Watson 56e786a6f8 ssh(1): Refer to ssh-argv0(1)
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to.  Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).

Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14

Patch-Name: ssh-argv0.patch

Gbp-Pq: Name ssh-argv0.patch
2022-06-16 16:57:13 +08:00
Colin Watson 4141149348 Adjust various OpenBSD-specific references in manual pages
No single bug reference for this patch, but history includes:
 http://bugs.debian.org/154434 (login.conf(5))
 http://bugs.debian.org/513417 (/etc/rc)
 http://bugs.debian.org/530692 (ssl(8))
 https://bugs.launchpad.net/bugs/456660 (ssl(8))

Forwarded: not-needed
Last-Update: 2017-10-04

Patch-Name: openbsd-docs.patch

Gbp-Pq: Name openbsd-docs.patch
2022-06-16 16:57:13 +08:00
Tomas Pospisek a7c9c362e4 Install authorized_keys(5) as a symlink to sshd(8)
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14

Patch-Name: authorized-keys-man-symlink.patch

Gbp-Pq: Name authorized-keys-man-symlink.patch
2022-06-16 16:57:13 +08:00
Kees Cook f93c6d7faf Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.

Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2020-02-21

Patch-Name: debian-banner.patch

Gbp-Pq: Name debian-banner.patch
2022-06-16 16:57:13 +08:00
Matthew Vernon 01585ac808 Include the Debian version in our identification
This makes it easier to audit networks for versions patched against security
vulnerabilities.  It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings.  (However, see debian-banner.patch.)

Forwarded: not-needed
Last-Update: 2019-06-05

Patch-Name: package-versioning.patch

Gbp-Pq: Name package-versioning.patch
2022-06-16 16:57:13 +08:00
Scott Moser 02aa38bee0 Mention ssh-keygen in ssh fingerprint changed warning
Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2017-08-22

Patch-Name: mention-ssh-keygen-on-keychange.patch

Gbp-Pq: Name mention-ssh-keygen-on-keychange.patch
2022-06-16 16:57:13 +08:00
Colin Watson e4d9d88e0b Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.

Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06

Patch-Name: dnssec-sshfp.patch

Gbp-Pq: Name dnssec-sshfp.patch
2022-06-16 16:57:13 +08:00
Colin Watson 9f1762840d Look for $SHELL on the path for ProxyCommand/LocalCommand
There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2020-02-21

Patch-Name: shell-path.patch

Gbp-Pq: Name shell-path.patch
2022-06-16 16:57:13 +08:00
Nicolas Valcárcel b7a642749f Adjust scp quoting in verbose mode
Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.

This should be revised to mimic real shell quoting.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
Last-Update: 2010-02-27

Patch-Name: scp-quoting.patch

Gbp-Pq: Name scp-quoting.patch
2022-06-16 16:57:13 +08:00
Colin Watson 60ef576c08 Allow harmless group-writability
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner.  Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem).  Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2019-10-09

Patch-Name: user-group-modes.patch

Gbp-Pq: Name user-group-modes.patch
2022-06-16 16:57:13 +08:00
Natalie Amery fb02d34222 "LogLevel SILENT" compatibility
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors.  However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it.  The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.

Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2013-09-14

Patch-Name: syslog-level-silent.patch

Gbp-Pq: Name syslog-level-silent.patch
2022-06-16 16:57:13 +08:00
Richard Kettlewell 636783df82 Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval.  (We're probably stuck with this bit for
compatibility.)

In batch mode, default ServerAliveInterval to five minutes.

Adjust documentation to match and to give some more advice on use of
keepalives.

Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2020-02-21

Patch-Name: keepalive-extensions.patch

Gbp-Pq: Name keepalive-extensions.patch
2022-06-16 16:57:13 +08:00
Colin Watson 993e298325 Accept obsolete ssh-vulnkey configuration options
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.

Last-Update: 2014-02-09

Patch-Name: ssh-vulnkey-compat.patch

Gbp-Pq: Name ssh-vulnkey-compat.patch
2022-06-16 16:57:13 +08:00
Manoj Srivastava ca25cb834b Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change.  In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2020-02-21

Patch-Name: selinux-role.patch

Gbp-Pq: Name selinux-role.patch
2022-06-16 16:57:12 +08:00
Colin Watson 592f71b99f Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
and thread:

  https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html

It is true that this reduces preauth attack surface in sshd.  On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.

It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.

Forwarded: not-needed
Last-Update: 2019-06-05

Patch-Name: restore-tcp-wrappers.patch

Gbp-Pq: Name restore-tcp-wrappers.patch
2022-06-16 16:57:12 +08:00
Simon Wilkinson 1a20caf1c8 GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years.  This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface.  This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."

However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have).  It seems to have a generally good
security history.

Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2020-02-21

Patch-Name: gssapi.patch

Gbp-Pq: Name gssapi.patch
2022-06-16 16:57:12 +08:00
openKylinBot 619b31ff1d Import Debian changes 1:8.2p1-ok1
openssh (1:8.2p1-ok1) yangtze; urgency=medium

  * Build for openKylin.
2022-06-16 16:57:06 +08:00
Lu zhiping 1968fef375 Import Upstream version 8.2p1 2022-06-16 16:57:06 +08:00